[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-10-24 Thread Konrad Windszus (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17623124#comment-17623124 ]

Konrad Windszus commented on SLING-11538:
-----------------------------------------

Fixed in
* https://github.com/apache/sling-org-apache-sling-scripting-sightly/commit/d677bfad1c040aaa439fa3be2d4828d37da4d5f5 (impl)
* https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing-content/commit/99729b8a62f86fd663e989a19a5a5f4c37162c8d (IT test content)
* https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing/commit/ff9b75c66a8557fa2e78941a46f82734009e8e58 (IT)

> Add display context for JSON string
> ---
>
> Key: SLING-11538
> URL: https://issues.apache.org/jira/browse/SLING-11538
> Project: Sling
>  Issue Type: Improvement
>  Components: HTL
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
> Fix For: Scripting HTL Engine 1.4.22-1.4.0
>
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> It would be useful to add an output context to HTL to be used inside JSON. As 
> JSON is very complex, the most essential one which currently cannot be 
> achieved with any other existing contexts is escaping for a JSON String value 
> (compare with https://github.com/adobe/htl-spec/issues/5).
> I propose to introduce a new context {{jsonString}} next to {{scriptString}} 
> in 
> https://github.com/apache/sling-org-apache-sling-scripting-sightly/blob/192d953514e6e579428cda157a7e83fc2a05cc01/src/main/java/org/apache/sling/scripting/sightly/impl/engine/extension/XSSRuntimeExtension.java#L93.
> As it is not part of the official HTL spec at 
> https://github.com/adobe/htl-spec/blob/master/SPECIFICATION.md#121-display-context
>  it needs to be listed as Sling-specific addition in 
> https://sling.apache.org/documentation/bundles/scripting/scripting-htl.html#extensions-of-the-htl-specification.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-10-04 Thread Konrad Windszus (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17612562#comment-17612562 ]

Konrad Windszus commented on SLING-11538:
-----------------------------------------

[~radu] I enhanced the test content in https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing-content/pull/7/commits/42151fff3ed850d61d4698dcd5fdc5afafd3c025 to illustrate a concrete use case.



[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-08-30 Thread Konrad Windszus (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17597868#comment-17597868 ]

Konrad Windszus commented on SLING-11538:
-----------------------------------------

The use case is inline JSON in HTML. Writing that in Java methods is for sure 
possible but breaks the model/view separation from my PoV. The JSON can be 
generated far easier in HTL if just that missing context is added.
I am gonna improve the test case to show a more realistic scenario where the 
same getter method is used in both regular HTML and in inline JSON values.



[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-08-30 Thread Radu Cotescu (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17597629#comment-17597629 ]

Radu Cotescu commented on SLING-11538:
--------------------------------------

[~kwin], what's the use case? The test you added
(https://github.com/apache/sling-org-apache-sling-scripting-sightly-testing-content/pull/7/files#diff-05f462b0429b9368cac540b6f079b6e8fb3e3f85b828a8be2e95dde9b8cc8e2c)
doesn't help me understand it. Why can't you output JSON using a specialised
JSON library?



[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-08-13 Thread Konrad Windszus (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17579256#comment-17579256 ]

Konrad Windszus commented on SLING-11538:
-----------------------------------------

[~castelo] Commons Lang3 is already an existing dependency of the HTL Engine 
bundle, while Commons Text is not. Also Commons Text does not ship e.g. with 
AEM 6.5. As I consider the underlying code pretty stable (and for sure upwards 
compatible till Commons Lang 4 appears) I would rather stay with the deprecated 
Commons Lang3 implementation for the time being.

> Also, I think will be good to wrap the output with xssApi.getValidJson() to
> ensure the result is correct

I don't think that we need another XSS protection for JSON String but rather 
for a dedicated context encapsulating the full JSON structure. I cannot think 
of a XSS scenario with properly escaped JSON strings only. Feel free to raise a 
new issue for a display context for the full JSON. Unfortunately 
{{XSSApi.getValidJson()}} cannot be used for such a context (as that just 
returns the second argument in case JSON is invalid), but rather requires a 
library like https://github.com/OWASP/json-sanitizer.



[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-08-13 Thread Pablo Castelo (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17579254#comment-17579254 ]

Pablo Castelo commented on SLING-11538:
---------------------------------------

[~kwin] I did some tests yesterday with StringEscapeUtils and it works fine but
is deprecated, maybe use the new version that is also available in a sling
instance as a bundle:
https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html
I didn't try yet, but the possible method will be
https://commons.apache.org/proper/commons-text/javadocs/api-release/org/apache/commons/text/StringEscapeUtils.html#escapeEcmaScript(java.lang.String)

Also, I think it will be good to wrap the output with xssApi.getValidJson() to
ensure the result is correct.



[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-08-12 Thread Konrad Windszus (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17578978#comment-17578978 ]

Konrad Windszus commented on SLING-11538:
-----------------------------------------

As implementation one could either write such an escape method from scratch or
use the JSON-P Standard (https://javaee.github.io/jsonp/).



[jira] [Commented] (SLING-11538) Add display context for JSON string

2022-08-12 Thread Konrad Windszus (Jira)


[ https://issues.apache.org/jira/browse/SLING-11538?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17578976#comment-17578976 ]

Konrad Windszus commented on SLING-11538:
-----------------------------------------

The JSON spec (https://www.ecma-international.org/wp-content/uploads/ECMA-404_2nd_edition_december_2017.pdf) says the following in chapter 9 (String):
{quote}A string is a sequence of Unicode code points wrapped with quotation marks (U+0022). All code points may be placed within the quotation marks except for the code points that must be escaped: quotation mark (U+0022), reverse solidus (U+005C), and the control characters U+0000 to U+001F. There are two-character escape sequence representations of some characters.
\" represents the quotation mark character (U+0022).
\\ represents the reverse solidus character (U+005C).
\/ represents the solidus character (U+002F).
\b represents the backspace character (U+0008).
\f represents the form feed character (U+000C).
\n represents the line feed character (U+000A).
\r represents the carriage return character (U+000D).
\t represents the character tabulation character (U+0009).
So, for example, a string containing only a single reverse solidus character may be represented as "\\".
Any code point may be represented as a hexadecimal escape sequence. The meaning of such a hexadecimal number is determined by ISO/IEC 10646. If the code point is in the Basic Multilingual Plane (U+0000 through U+FFFF), then it may be represented as a six-character sequence: a reverse solidus, followed by the lowercase letter u, followed by four hexadecimal digits that encode the code point. Hexadecimal digits can be digits (U+0030 through U+0039) or the hexadecimal letters A through F in uppercase (U+0041 through U+0046) or lowercase (U+0061 through U+0066). So, for example, a string containing only a single reverse solidus character may be represented as "\u005C".
The following four cases all produce the same result:
"\u002F"
"\u002f"
"\/"
"/"
To escape a code point that is not in the Basic Multilingual Plane, the character may be represented as a twelve-character sequence, encoding the UTF-16 surrogate pair corresponding to the code point. So for example, a string containing only the G clef character (U+1D11E) may be represented as "\uD834\uDD1E". However, whether a processor of JSON texts interprets such a surrogate pair as a single code point or as an explicit surrogate pair is a semantic decision that is determined by the specific processor.
Note that the JSON grammar permits code points for which Unicode does not currently provide character assignments.
{quote}

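
The escaping rules quoted from ECMA-404 above, together with the point from the 2022-08-13 comment that a JSON string context protects only the string value and is not a full-JSON context, as an added example that is not part of the Sling/HTL code base: a from-scratch escaper plus a check that the escaped value can no longer close the string literal or an enclosing HTML script element. The class and method names are assumptions, and escaping '/' goes beyond the spec's minimum as a defensive choice for JSON inlined into HTML.

```java
import java.util.Arrays;
import java.util.List;
// Added example, not Sling/HTL project code; class and method names are assumptions.
public final class JsonStringEscapeDemo {

    /** Escapes a value for use between JSON quotation marks (ECMA-404, chapter 9). */
    public static String escapeJsonString(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':  sb.append("\\\""); break; // must be escaped
                case '\\': sb.append("\\\\"); break; // must be escaped
                case '\b': sb.append("\\b");  break;
                case '\f': sb.append("\\f");  break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                // ECMA-404 allows a bare '/', but escaping it keeps "</script>" out of
                // JSON that is inlined into an HTML <script> element (the use case above).
                case '/':  sb.append("\\/");  break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04X", (int) c)); // other control chars
                    } else {
                        sb.append(c); // UTF-16 surrogate pairs pass through unchanged
                    }
            }
        }
        return sb.toString();
    }

    /** True if the escaped text can no longer end the string literal or the script element. */
    public static boolean staysInsideStringLiteral(String escaped) {
        boolean pendingEscape = false;
        for (int i = 0; i < escaped.length(); i++) {
            char c = escaped.charAt(i);
            if (pendingEscape) { pendingEscape = false; continue; }
            if (c == '\\') { pendingEscape = true; continue; }
            if (c == '"' || c < 0x20) return false; // unescaped terminator or control char
        }
        return !escaped.contains("</");
    }

    public static void main(String[] args) {
        // constructed sample values such as a component property could carry
        List<String> samples = Arrays.asList("plain title", "say \"hi\" \\ done",
                "line\nbreak\tand \u0001", "x</script>y", "G clef \uD834\uDD1E");
        for (String s : samples) {
            String escaped = escapeJsonString(s);
            System.out.println("{\"title\":\"" + escaped + "\"}  safe=" + staysInsideStringLiteral(escaped));
        }
    }
}
```

The check only covers a value placed between quotation marks; a value emitted in a number, key or whole-object position is outside what a string context can protect and, as the thread notes, needs a separate full-JSON context.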